CVE-2025-64538
Published: 10 December 2025
Summary
CVE-2025-64538 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Experience Manager. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Applying vendor-provided patches directly remediates the specific DOM-based XSS flaw in Adobe Experience Manager versions 6.5.23 and earlier.
Filtering information output from the web application prevents malicious scripts from being executable in the victim's browser context during DOM manipulation.
Validating user inputs server-side blocks or sanitizes malicious payloads that could be used to trigger DOM-based XSS on crafted pages.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
DOM-based XSS in public-facing Adobe Experience Manager enables exploitation of public-facing application (T1190) and facilitates stealing web session cookies for session takeover (T1539).
NVD Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed…
more
in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page.
Deeper analysisAI
CVE-2025-64538 is a DOM-based Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Experience Manager versions 6.5.23 and earlier. This flaw enables arbitrary code execution by allowing attackers to inject malicious scripts into a web page, which then execute in the context of the victim's browser. Published on 2025-12-10, the vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), reflecting its high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.
An unauthenticated attacker can exploit this vulnerability by luring a victim to visit a crafted malicious page, requiring user interaction. Once the victim accesses the page, the injected scripts execute within their browser session, potentially leading to session takeover. This grants the attacker high-level access to the victim's authenticated context in Adobe Experience Manager, amplifying risks to data confidentiality and integrity without impacting availability.
Adobe's security advisory APSB25-115, available at https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html, details the vulnerability and provides guidance on mitigations, including available patches for affected versions.
Details
- CWE(s)